Thread: 2 messages, 2 authors, 2025-07-24

Re: [PATCH wireless-next] wifi: mac80211: fix use-after-free risk in sta debugfs removal

From: Johannes Berg <johannes@sipsolutions.net>
Date: 2025-07-24 07:18:34
Also in: linux-kernel-mentees, linux-wireless, lkml

On Thu, 2025-07-24 at 00:15 -0700, Moon Hee Lee wrote:
> A NULL pointer dereference may occur in ieee80211_sta_debugfs_remove()
> when debugfs_remove_recursive() is called on a dentry whose inode has
> already been freed. This can happen due to a race between STA teardown
> and debugfs cleanup.
>
> Fix this by checking that both sta->debugfs_dir and its d_inode are
> valid before invoking debugfs_remove_recursive().
>
> This avoids the crash reported in syzbot bug:

Maybe so, but it really looks like a bandaid?! Why are we trying to
remove it twice in the first place?

johannes